HIPAA Compliance for KeptPDF

PDF tools that don't touch your patients' data.

KeptPDF processes every PDF entirely in your browser. Nothing, including PHI, is ever uploaded to our servers.

What we do (zero upload)

Every KeptPDF tool (redact, sign, merge, OCR) runs entirely in your browser via WebAssembly and JavaScript. The PDF you select never leaves your device.

You don't have to take our word for it. Open your browser's DevTools (F12 on Windows, ⌥⌘I on Mac), switch to the Network tab, and process a file. You will see zero requests carrying your PDF bytes: only the static JavaScript that does the work, plus a couple of tiny first-party pings (the tool's name, whether you're signed in) that never contain your file.

When you redact, KeptPDF flattens each affected page to an image before saving. The blacked-out text is removed from the file, not just hidden behind a box that could be copied out or peeled off. Every redaction also produces an audit certificate carrying the output's SHA-256 fingerprint, so you can prove the file wasn't altered afterward.

How our architecture affects HIPAA Business Associate analysis

Because all PDF processing happens locally in your browser, KeptPDF's servers never receive, store, or transmit your file contents or any protected health information. That is the factor HHS guidance treats as central to whether a vendor creates, receives, maintains, or transmits PHI under 45 CFR 160.103. Whether that means KeptPDF is a Business Associate is a determination you and your counsel should make. This is an informational summary, not legal advice.

HHS has not issued definitive guidance on browser-based web apps, and your compliance team may apply a stricter standard. For that case, the Compliance Pack below includes a BAA template based on HHS sample provisions, a starting point to review and adapt with your own counsel. Because PHI never reaches our servers, your counsel may conclude no BAA is needed. Either way, the template is yours to use if your policies call for one.

These materials are informational only and do not constitute legal advice. Consult qualified counsel before relying on them for HIPAA compliance determinations.

The Compliance Pack

We'll email a confirmation with the download link. No spam, no newsletter, just this one email.

FAQ

Does KeptPDF need a signed BAA?

Probably not under HIPAA, since we never receive PHI. But many compliance programs require a BAA from any vendor whose software touches PHI as a matter of policy. Your compliance team decides, and the Compliance Pack includes a BAA template (HHS sample provisions) for them to review and adapt with your counsel.

What if my compliance officer insists on one?

Use the BAA template in the Compliance Pack. It's based on HHS sample provisions and is meant to be reviewed and adapted with your counsel. For other questions, email support@keptpdf.com.

Do you have audit logs?

Our servers log authentication events, billing events, and per-tool usage counts (the tool name only, never file content, names, sizes, or hashes). For per-document audit, every redaction generates a downloadable cryptographic audit certificate with input and output SHA-256 hashes.

What about your subprocessors?

Vercel (hosting), Stripe (billing), and Resend (transactional email). None of them ever receive PHI in the course of KeptPDF's normal operation. The Technical Privacy Brief in the Compliance Pack lists this in detail.

Is the redact tool good enough for HIPAA Safe Harbor?

KeptPDF detects 14 of the 18 PHI identifier categories listed in 45 CFR 164.514(b)(2)(i). Manual review is required for the remaining 4. Two of those, biometric identifiers and full-face photographs, are images rather than text and fall outside any text scanner's scope. Every redaction's audit certificate documents exactly which categories were scanned (the free tier issues it as a text file; Pro adds tamper-evident PDF and JSON formats), so you can show a reviewer precisely what was automated and what still needs a human pass.
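To make the scanned-versus-manual distinction concrete, here is an added example of a minimal text scanner that reports its own scope alongside its findings. It is not KeptPDF's detector: the six categories it covers, and the patterns it uses, are illustrative and say nothing about which 14 categories KeptPDF scans. The category list itself is the one in 45 CFR 164.514(b)(2)(i); the sample text is constructed.

```javascript
// Added example, not KeptPDF's detector: a toy scanner for a few Safe Harbor
// identifier categories that also reports which categories it did not cover.

// The 18 categories of 45 CFR 164.514(b)(2)(i), keyed by paragraph letter.
const SAFE_HARBOR_CATEGORIES = {
  A: 'names',
  B: 'geographic subdivisions smaller than a state',
  C: 'dates (other than year) directly related to an individual',
  D: 'telephone numbers',
  E: 'fax numbers',
  F: 'email addresses',
  G: 'Social Security numbers',
  H: 'medical record numbers',
  I: 'health plan beneficiary numbers',
  J: 'account numbers',
  K: 'certificate or license numbers',
  L: 'vehicle identifiers and serial numbers',
  M: 'device identifiers and serial numbers',
  N: 'web URLs',
  O: 'IP addresses',
  P: 'biometric identifiers',
  Q: 'full-face photographs and comparable images',
  R: 'any other unique identifying number, characteristic, or code',
};

// Image categories: no text scanner can cover these.
const IMAGE_CATEGORIES = ['P', 'Q'];

// Illustrative patterns only. Real detectors need context (labels such as "MRN")
// and far broader date and phone formats than these.
const PATTERNS = {
  G: /\b\d{3}-\d{2}-\d{4}\b/g,
  F: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
  D: /(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}(?!\d)/g,
  O: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
  N: /\bhttps?:\/\/[^\s),]+/g,
  C: /\b(?:0?[1-9]|1[0-2])\/(?:0?[1-9]|[12]\d|3[01])\/(?:19|20)\d{2}\b/g,
};

// Returns every match plus a scope report: categories scanned, categories left
// for manual review, and image categories that text scanning cannot reach.
function scanText(text) {
  const findings = [];
  for (const [category, re] of Object.entries(PATTERNS)) {
    for (const m of text.matchAll(re)) {
      findings.push({ category, label: SAFE_HARBOR_CATEGORIES[category], match: m[0], offset: m.index });
    }
  }
  const scanned = Object.keys(PATTERNS).sort();
  const notScanned = Object.keys(SAFE_HARBOR_CATEGORIES).filter((c) => !PATTERNS[c]);
  return {
    findings,
    scope: {
      scanned,
      manualReview: notScanned.filter((c) => !IMAGE_CATEGORIES.includes(c)),
      imageOnly: IMAGE_CATEGORIES,
    },
  };
}

// Constructed sample text; every identifier in it is fictional.
const SAMPLE = 'Patient Jane Example, DOB 03/14/1962, SSN 123-45-6789, phone (555) 123-4567, ' +
  'email jane@example.invalid, portal https://portal.example.invalid/visit/42, last login from 10.0.0.8.';

console.log(JSON.stringify(scanText(SAMPLE), null, 2));
```

Note what the scope report does not say: a clean run over the "scanned" categories is silent about names, record numbers and the other manual-review categories, which is exactly why a certificate that records the scanned set is more useful to a reviewer than a bare "no findings".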

Questions?

The Compliance Pack above includes a Technical Privacy Brief and a BAA template to review with your counsel. For anything else, email support@keptpdf.com.